Abstract

The BDD-based symbolic model checking algorithm given in [1, 10] is extended to handle real-time properties using the bounded until operator [9]. We believe that this algorithm, which is based on discrete time, is able to handle many real-time properties that arise in practical problems. One example of such a property is priority inversion. This is a serious problem that can make real-time systems unpredictable in subtle ways. Our work discusses this problem and presents one possible solution. The solution is formalized and verified using the modified algorithm. We also propose another extension to the model checking algorithm. Timed transition graphs are transition graphs in which events may take non-unit time to occur. The time it takes for a transition in a TTG to happen is determined by a time interval. This allows the construction of smaller and more realistic models. A symbolic model checking algorithm is given for formulas using the bounded until operator in TTG models.




1  Introduction 


Temporal logic model checking is a technique for determining the correctness of finite-state systems. A large number of problems in computer science can be modeled using finite-state representations. Real-time systems can often be represented in such a way. Because they are used in many critical applications, being able to depend on them is vital. Model checking [5, 6] can assist in demonstrating the correctness of such systems. The use of this technique can help increase the efficiency of their validation and help generate systems with higher reliability. This work explains how model checking can be applied to the verification of real-time systems.

In model checking, specifications are expressed as formulas of a propositional temporal logic. The system to be verified is modeled as a state-transition graph, and the graph is searched to determine if it satisfies the property. A symbolic model checking algorithm is one in which the transition relation is represented implicitly by boolean formulas, and states are not explicitly enumerated. The SMV symbolic model checking algorithm [1, 10] is the basis of our approach. It is extended to handle real-time properties. The original model checking algorithm represents properties as formulas in the temporal logic CTL (Computation Tree Logic). This logic allows us to state properties such as "event p will happen sometime in the future", but not "event p will happen in at most x units of time". In real-time systems properties of the latter type appear frequently, because we must bound the execution time in order to make the system predictable. We augment CTL so that it is possible to express real-time properties using the bounded until operator [9], and show how to check formulas involving operators of this type using BDD-based symbolic model checking techniques.

Another extension to the algorithm comes from the fact that all transitions in an SMV model take exactly one step to occur. However, in realistic models this is not always true. Various transitions frequently have different lengths in practice. It is also possible that one transition can take different amounts of time to occur in different executions. Modeling this behavior in SMV can be achieved by expanding a non-unit transition into a sequence of transitions through several intermediate states. The states introduced by this technique may significantly increase the size of the model. We propose an extension called Timed Transition Graphs (TTG) to handle this situation. A timed transition graph is a transition graph that has time intervals associated with transitions. The time intervals specify a lower and an upper bound on the time it takes for a transition to occur. A transition can take a nondeterministic number of steps to occur, within the bounds specified by the TTG. Longer transitions that are also non-deterministic (within specified bounds) allow the modeling of realistic systems without the burden of adding extra states to the model. A symbolic model checking algorithm is presented for bounded CTL formulas using TTGs as models.

As an example of how these techniques can be used, we model the priority inversion [8, 11] problem using the extended verifier. Most real-time systems rely on priorities to maintain predictability. The fact that higher priority tasks must be executed before lower priority tasks is essential for the correctness of such systems. However, low priority processes can block high priority processes indefinitely, because of indirect priority constraints. This situation is called priority inversion. This behavior makes the system unpredictable. It is described in this paper. Several solutions exist to this problem, and one of these, priority inheritance, is presented and formally verified.

Temporal logic model checking is described in section 2. Section 3 discusses binary decision diagrams, which form the basis for the symbolic algorithms described in this work. The logic used in the model checker is presented in section 4, and in section 5 the symbolic model checking algorithm is explained. The extension that allows real-time properties to be expressed is described in section 6. In section 7 timed transition graphs are presented, and a symbolic model checking algorithm for TTG models is given. An example of how these techniques work, the priority inversion problem, is presented in section 8. The paper ends in section 9 with a discussion of the results.


2  Temporal  Logic  Model  Checking 

Extensive simulation is currently the most widely used verification technique. However, simulation does not exhaust all possible behaviors of a computing system. Exhaustive simulation is too expensive, and non-exhaustive simulation can miss important events, especially if the number of states in the system being verified is large. Other approaches for verification include theorem provers, term rewriting systems and proof checkers. These techniques, however, are usually very time consuming, and require user intervention to a large degree. Such characteristics limit the size of the systems they can verify in practice.

Temporal logic model checking [5, 6] is an alternative approach that has achieved significant results recently. Efficient algorithms are able to verify properties of extremely large systems. In this technique, specifications are written as formulas in a propositional temporal logic and computer systems are represented by state-transition graphs. Verification is accomplished by an efficient breadth first search procedure that views the transition system as a model for the logic, and determines if the specifications are satisfied by that model.

There are several advantages to this approach. An important one is that the procedure is completely automatic. The model checker accepts a model description and specifications written as temporal logic formulas, and determines if the formulas are true or not for that model. Another advantage is that, if the formula is not true, the model checker will provide a counterexample. The counterexample is an execution trace that shows why the formula is not true. This is an extremely useful feature because it can help locate the source of the error and speed up the debugging process. Another advantage is the ability to verify partially specified systems. Useful information about the correctness of the system can be gathered before all the details have been determined. This allows the verification of a system to proceed concurrently with its design. Consequently verification can provide valuable hints that will help designers eliminate errors earlier and define better systems.

Properties to be verified are described as formulas in a propositional temporal logic. The system for which the properties should hold is given as a state transition graph. It defines a model for the temporal logic since the semantics of the logic are given in terms of state transition graphs. The model checker traverses this graph and verifies if the model satisfies the formula. Checking that a single model satisfies a formula is much simpler than proving that a formula is valid for all possible models. Because of this fact model checkers can be more efficiently implemented than theorem provers. Clarke and Emerson [5] developed the first algorithm. This algorithm used adjacency lists to represent the transition graph and had a complexity that was polynomial in the size of the model and in the length of the formula. This and other equivalent systems were able to handle graphs with up to $10^5$ states.

Around 1987, however, the concept of symbolic model checking was introduced [1, 10]. In the new approach the transition relation is represented implicitly by boolean formulas, and implemented by ordered binary decision diagrams [1]. This usually results in a much smaller representation for the transition relation, allowing the size of the models being verified to increase up to more than $10^{20}$ states. The symbolic model checking approach will be explained in more detail later.


3  Binary  Decision  Diagrams 

Ordered binary decision diagrams (BDD) are an efficient way to represent boolean formulas. BDDs often provide a much more concise representation than traditional representations like conjunctive normal form or disjunctive normal form. They can also be manipulated very efficiently [1]. Another advantage offered by BDDs is that they provide a canonical representation for boolean formulas. This property means that two boolean formulas are logically equivalent if and only if they have isomorphic representations. It greatly simplifies the execution of operations that are performed frequently like checking equivalence of two formulas or deciding if a given formula is satisfiable or not. Because of these characteristics, BDDs have found application in the implementation of many CAD tools.

Boolean formulas can be represented by binary decision trees. The nodes in the decision tree correspond to the variables of the formula. Descendants of a node are labelled with true or false. The value of the formula for a given assignment of values to the variables can be found by traversing the tree from root to leaf. At each node the descendant labelled with the value of that variable is chosen. Each leaf corresponds to a particular assignment to the variables, and contains the truth value of the formula for that assignment.

This representation is not particularly compact, because it may store the same information repeatedly in different places. BDDs are derived from binary decision trees but their structure is a directed acyclic graph instead of a tree. Redundant information in the structure is avoided by eliminating common subtrees. As in decision trees, nodes are visited in sequence, from root to leaf. However, BDDs impose a total ordering in which the variables occur in this sequence. For example, the BDD in figure 1 represents the formula $f = (a \wedge b) \vee (c \wedge d)$ using the ordering $a < b < c < d$ for the variables.

Given an assignment for the variables in $f$ we can decide if this assignment satisfies the formula by traversing the BDD from root to leaf. At each node we follow the path that corresponds to the value assigned to the variable in the node. The leaf indicates if the formula is satisfied or not for that particular assignment. Notice that redundancy is eliminated in two ways. Common subtrees are not replicated, as can be seen from the paths when $a$ is false and when $b$ is false. Also, when all the leaves of a subtree lead to the same value, the subtree is eliminated, and a leaf of that value is inserted at its place. Notice in the figure that when $a$ and $b$ are both true a subtree containing the variables $c$ and $d$ is eliminated because all of its leaves would have the value 1.

For any boolean formula and with a fixed variable ordering there exists a unique BDD [1]. The size of the BDD is critically dependent on the variable ordering. It is exponential in the number of variables in the worst case. Given a good variable ordering, however, the size is linear in most practical cases. Using a good variable ordering is very important, but finding the optimal order is in itself an NP-complete problem. Nevertheless, there are many heuristics that work quite well in practice.

Figure 1: BDD for formula $(a \wedge b) \vee (c \wedge d)$

Efficient algorithms exist to handle boolean formulas represented by BDDs. Given BDD representations for $f$ and $g$, algorithms for computing $\neg f$ and $f \vee g$ are given in [1]. Algorithms for quantification over boolean variables and substitution of variable names are also required by the model checker. It is simple to compute the restriction of a formula $f$ with a variable $v$ set to 0 or 1. We will denote the restriction of $f$ with $v$ set to 0 by $f|_{v=0}$, and the restriction of $f$ with $v$ set to 1 by $f|_{v=1}$. The formula $\exists v[f]$ is defined as $f|_{v=0} \vee f|_{v=1}$, and $\forall v[f]$ is defined as $\neg\exists v[\neg f]$. Substitution of variable names can be accomplished using the quantification algorithm. $f\langle v \leftarrow w\rangle$ denotes the substitution of variable $w$ for variable $v$ in formula $f$. It is computed as $f\langle v \leftarrow w\rangle = \exists v[(v \leftrightarrow w) \wedge f]$. These operations are performed very frequently in the model checker, and more efficient algorithms are used in the actual system. Describing these algorithms is out of the scope of this paper, but they can be found in [2].
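To make the operations above concrete, here is an added example (not code from the paper or from SMV): a small reduced ordered BDD package with restriction, existential and universal quantification, and the substitution $f\langle v \leftarrow w\rangle = \exists v[(v \leftrightarrow w) \wedge f]$, exercised on the formula of figure 1. All class, function and variable names are this example's own, and the extra variable e exists only to demonstrate substitution.

```python
import operator


class BDD:
    """Reduced ordered BDD. Terminals are the booleans False/True; internal nodes
    are hash-consed tuples (var, low, high), so two equivalent formulas under the
    same variable order always yield the identical tuple (canonicity)."""

    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}  # fixed variable order
        self.unique = {}  # unique table: (var, low, high) -> node
        self.memo = {}    # cache for apply()

    def mk(self, var, low, high):
        if low == high:  # both branches lead to the same subgraph: drop the test
            return low
        key = (var, low, high)
        return self.unique.setdefault(key, key)

    def var(self, v):
        return self.mk(v, False, True)

    @staticmethod
    def cofactors(f, v):
        # branches of f for v = 0 and v = 1 (f itself if v is not its top variable)
        if isinstance(f, bool) or f[0] != v:
            return f, f
        return f[1], f[2]

    def apply(self, op, f, g):
        """Shannon expansion on the smallest top variable of f and g (Bryant's apply)."""
        key = (op, f, g)
        if key in self.memo:
            return self.memo[key]
        if isinstance(f, bool) and isinstance(g, bool):
            res = op(f, g)
        else:
            v = min((x[0] for x in (f, g) if not isinstance(x, bool)), key=self.rank.get)
            f0, f1 = self.cofactors(f, v)
            g0, g1 = self.cofactors(g, v)
            res = self.mk(v, self.apply(op, f0, g0), self.apply(op, f1, g1))
        self.memo[key] = res
        return res

    def And(self, f, g): return self.apply(operator.and_, f, g)
    def Or(self, f, g): return self.apply(operator.or_, f, g)
    def Not(self, f): return self.apply(operator.xor, f, True)
    def Iff(self, f, g): return self.apply(operator.eq, f, g)

    def restrict(self, f, v, val):
        """f|v=val: replace every test of v by its val-branch."""
        if isinstance(f, bool):
            return f
        if f[0] == v:
            return f[2] if val else f[1]
        return self.mk(f[0], self.restrict(f[1], v, val), self.restrict(f[2], v, val))

    def exists(self, v, f):  # exists v [f] = f|v=0  or  f|v=1
        return self.Or(self.restrict(f, v, False), self.restrict(f, v, True))

    def forall(self, v, f):  # forall v [f] = not exists v [not f]
        return self.Not(self.exists(v, self.Not(f)))

    def substitute(self, f, v, w):  # f<v <- w> = exists v [(v <-> w) and f]
        return self.exists(v, self.And(self.Iff(self.var(v), self.var(w)), f))

    @staticmethod
    def size(f):
        """Number of internal nodes reachable from f (shared nodes counted once)."""
        seen, todo = set(), [f]
        while todo:
            n = todo.pop()
            if not isinstance(n, bool) and n not in seen:
                seen.add(n)
                todo += [n[1], n[2]]
        return len(seen)


def evaluate(f, assignment):
    """Root-to-leaf traversal: at each node take the branch for that variable's value."""
    while not isinstance(f, bool):
        f = f[2] if assignment[f[0]] else f[1]
    return f


def figure1_example():
    """Constructed check on f = (a & b) | (c & d) with order a < b < c < d (figure 1).
    The extra variable e is this example's own, used only for substitution."""
    bdd = BDD(["a", "b", "c", "d", "e"])
    a, b, c, d, e = (bdd.var(x) for x in "abcde")
    f = bdd.Or(bdd.And(a, b), bdd.And(c, d))
    cd = bdd.And(c, d)
    return {
        "nodes": bdd.size(f),                               # c & d is shared: 4 nodes
        "restrict_a0": bdd.restrict(f, "a", False) == cd,   # f|a=0 = c & d
        "exists_a": bdd.exists("a", f) == bdd.Or(b, cd),    # f|a=0 or f|a=1
        "forall_a": bdd.forall("a", f) == cd,               # f|a=0 and f|a=1
        "subst_a_e": bdd.substitute(f, "a", "e") == bdd.Or(bdd.And(e, b), cd),
        "eval": evaluate(f, {"a": True, "b": False, "c": True, "d": True}),
    }
```

Because every node goes through mk(), the equality checks in figure1_example compare canonical graphs, which is exactly the equivalence test the text describes.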

4  Computation  Tree  Logic 

Computation tree logic, CTL, is the logic used by SMV to express properties that will be verified. Computation trees are derived from state transition graphs. The graph structure is unwound into an infinite tree rooted at the initial state, as seen in figure 2. Paths in this tree represent all possible computations of the program being modelled. Formulas in CTL refer to the computation tree derived from the model. CTL is classified as a branching time logic, because it has operators that describe the branching structure of this tree.

Figure 2: State transition graph and corresponding computation tree

Formulas in CTL are built from atomic propositions, where each proposition corresponds to a variable in the model, boolean connectives $\neg$ and $\wedge$, and temporal operators. Each operator consists of two parts: a path quantifier followed by a temporal operator. Path quantifiers indicate that the property should be true of all paths from a given state (A), or some path from a given state (E). The temporal quantifiers describe how events should be ordered with respect to time for a path specified by the path quantifier. They have the following informal meanings:

• $\mathbf{F}\,\varphi$ ($\varphi$ holds sometime in the future) is true of a path if there exists a state in the path that satisfies $\varphi$.

• $\mathbf{G}\,\varphi$ ($\varphi$ holds globally) is true for a path if $\varphi$ is satisfied by all states in the path.

• $\mathbf{X}\,\varphi$ ($\varphi$ holds in the next state) means that $\varphi$ is true in the next state of the path.

• $\varphi\,\mathbf{U}\,\psi$ ($\varphi$ holds until $\psi$ holds) is satisfied by a path if $\psi$ is true in some state in the path, and in all preceding states $\varphi$ holds.

Formally, the syntax for CTL can be defined by:

• Every atomic proposition $p$ is a CTL formula.

• If $f$ and $g$ are CTL formulas, then so are $\neg f$, $f \wedge g$, $\mathbf{EX}\,f$, $\mathbf{EG}\,f$ and $\mathbf{E}[f\,\mathbf{U}\,g]$.

The semantics of CTL formulas are defined with respect to a labeled state-transition graph, which is a 5-tuple $M = (P, S, L, N, S_0)$, where $P$ is a set of atomic propositions, $S$ is a finite set of states, $L$ is a function labeling each state with a set of atomic propositions, $N \subseteq S \times S$ is a transition relation, and $S_0$ is the set of initial states. A path is an infinite sequence of states $s_0 s_1 s_2 \ldots$ such that $N(s_i, s_{i+1})$ is true for every $i$.

If $f$ is true in a state $s$ of structure $M$, we write $M, s \models f$. We write $M \models f$ if $M, s \models f$ for all states $s$ in $S_0$. The satisfaction relation is defined inductively as follows (given the model $M$, we abbreviate $M, s \models p$ by $s \models p$):

1. If $\varphi$ is the atomic proposition $v \in P$, then $s \models \varphi$ if and only if $v \in L(s)$.

2. $s \models \neg\varphi$ iff it is not the case that $s \models \varphi$. $s \models \varphi \wedge \psi$ iff $s \models \varphi$ and $s \models \psi$.

3. $s \models \mathbf{EX}\,\varphi$ iff there exists a path $\pi = s_0 s_1 s_2 \ldots$ starting at $s = s_0$ such that $s_1 \models \varphi$.

4. $s \models \mathbf{EG}\,\varphi$ iff there exists a path $\pi$ starting at $s$ such that for every state $s'$ on $\pi$, $s' \models \varphi$.

5. $s \models \mathbf{E}[\varphi\,\mathbf{U}\,\psi]$ iff there exists a path $\pi = s_0 s_1 s_2 \ldots$ starting at $s = s_0$ and some $i \geq 0$ such that $s_i \models \psi$ and for all $j < i$, $s_j \models \varphi$.

The following abbreviations are used in CTL formulas:

$\mathbf{AX}\,f = \neg\mathbf{EX}\,\neg f$

$\mathbf{EF}\,f = \mathbf{E}[\mathit{true}\,\mathbf{U}\,f]$

$\mathbf{AF}\,f = \neg\mathbf{EG}\,\neg f$

$\mathbf{AG}\,f = \neg\mathbf{EF}\,\neg f$

$\mathbf{A}[f\,\mathbf{U}\,g] = \neg\mathbf{E}[\neg g\,\mathbf{U}\,(\neg f \wedge \neg g)] \wedge \neg\mathbf{EG}\,\neg g$

Some examples of CTL formulas are given below to illustrate the expressiveness of the logic.

• $\mathbf{AG}(\mathit{req} \rightarrow \mathbf{AF}\,\mathit{ack})$: It is always the case that if the signal $\mathit{req}$ is high, then eventually $\mathit{ack}$ will also be high.

• $\mathbf{EF}(\mathit{started} \wedge \neg\mathit{ready})$: It is possible to get to a state where $\mathit{started}$ holds but $\mathit{ready}$ does not hold.

• $\mathbf{AG}\,\mathbf{EF}\,\mathit{restart}$: From any state it is possible to get to the $\mathit{restart}$ state.

• $\mathbf{AG}(\mathit{send} \rightarrow \mathbf{A}[\mathit{send}\,\mathbf{U}\,\mathit{recv}])$: It is always the case that if $\mathit{send}$ occurs, then eventually $\mathit{recv}$ is true, and until that time $\mathit{send}$ must remain true.


5  Symbolic  Model  Checking 

Early model checking algorithms represented the transition graph through adjacency lists. All existing states were explicitly enumerated. Since the model checking problem has an exponential behavior in the worst case, this frequently caused state explosion problems. The size of systems that could be verified was severely limited. Symbolic model checking represents states and transitions using boolean formulas. This usually generates smaller representations, because it can automatically eliminate redundancy in the graph. Implementing these boolean formulas as BDDs leads to very efficient algorithms for model checking that are able to verify much larger systems than previous ones. This section will explain the symbolic model checking approach.
Representing the Model

A model of the system in our algorithm is a labeled state-transition graph $M$, and assertions about the system are expressed as CTL formulas. The key to the efficiency of the algorithm is to use BDDs to represent the labeled state-transition graph and to verify if the formula is true or not. The following method will be used to represent the transition relation as a BDD.

Assume that system behavior is determined by the boolean variables $V = \{v_0, \ldots, v_{n-1}\}$. Let $V' = \{v'_0, \ldots, v'_{n-1}\}$ be a second copy of these variables. We will use the variables in $V$ to represent the value of the variables in the current state, and the variables in $V'$ to represent the value in the next state. The relationship between values of variables in the current and the next states is written as a boolean formula using $V$ and $V'$. This will be the boolean formula $N$ representing the transition relation. This formula will then be converted to a BDD.

$N(v_0, \ldots, v_{n-1}, v'_0, \ldots, v'_{n-1})$

We represent states by the values of the atomic propositions in those states. In order to guarantee that we can identify states uniquely, we must make the assumption that different states have different labelings of propositions. More formally, we assume that for any two states $s_1$ and $s_2$ in $S$, if $L(s_1) = L(s_2)$ then $s_1 = s_2$. This assumption does not, however, impose any restrictions on the model, since extra atomic propositions can be added in order to make $L(s_1) \neq L(s_2)$ for distinct states $s_1$ and $s_2$ [3].

Fixpoint characterization

Consider a labeled transition graph $M$ with set of states $S$. We can denote a lattice of predicates over $S$ by $\mathit{Pred}(S)$, where each predicate is identified with the set of states in $S$ that make it true, and use set inclusion as ordering. A functional $F$ that maps $\mathit{Pred}(S)$ to $\mathit{Pred}(S)$ is called a predicate transformer. Informally, $\mathit{Pred}(S)$ is a set of sets of states, and $F$ is a function from sets of states to sets of states.

As described in [7], if a predicate transformer $F$ is monotonic, it has a least fixpoint $\mathit{lfp}\,Z[F(Z)] = \bigcup_i F^i(\mathit{false})$ and a greatest fixpoint $\mathit{gfp}\,Z[F(Z)] = \bigcap_i F^i(\mathit{true})$. We can compute both fixpoints by iteration. Starting with $Z^0 = \mathit{false}$ (for lfp) or $Z^0 = \mathit{true}$ (for gfp) we have $Z^{i+1} = Z^i \cup F(Z^i)$ for lfp and $Z^{i+1} = Z^i \cap F(Z^i)$ for gfp. The fixpoint is found when $Z^i = Z^{i+1}$. If the number of elements in $\mathit{Pred}(S)$ is finite, termination is guaranteed, because there can be no infinite sequence of $Z$'s such that $Z^i \neq Z^{i+1}$.

We can identify each CTL formula $f$ with the predicate $\{s \mid M, s \models f\}$ in $\mathit{Pred}(S)$ (this is the set of states that satisfy $f$). Then, we can characterize each basic CTL temporal operator as a fixpoint of an appropriate predicate transformer. The set of states that satisfy the until operator is given by the least fixpoint $\mathbf{E}[f\,\mathbf{U}\,g]$ of $Z = g \vee (f \wedge \mathbf{EX}\,Z)$. Informally $\mathbf{E}[f\,\mathbf{U}\,g]$ is true at state $s$ if either $g$ is true in $s$, or $f$ is true in $s$ and there exists a successor state where $\mathbf{E}[f\,\mathbf{U}\,g]$ is true. The set of states that satisfy the $\mathbf{EG}$ operator is given by the greatest fixpoint $\mathbf{EG}\,f$ of $Z = f \wedge \mathbf{EX}\,Z$. Informally, this means that $\mathbf{EG}\,f$ holds in a state $s$ if $f$ holds in $s$ and $\mathbf{EG}\,f$ holds in a successor state of $s$. Proofs that the characterizations above correspond to the expected semantics are given in [7].


The Model Checking Algorithm

Given a CTL formula $\varphi$ and a model $M$ represented as described above, we want to verify if $\varphi$ is satisfied in the initial states of $M$. The model checking algorithm is defined inductively over the structure of CTL formulas. It accepts the formula $\varphi$ as an argument (and $M$ as an implicit argument), recurses over the structure of $\varphi$ and returns a BDD that has one boolean variable for every atomic proposition in $V$. The resulting BDD is true in a state if and only if $\varphi$ is true in that state. The algorithm is:

• If $\varphi$ is an atomic proposition $p$, return the BDD that is true if and only if $p$ is true. This is simply the BDD for $p$.

• If $\varphi$ is $\neg f$ or $f \wedge g$, use the standard BDD algorithms for computing boolean connectives.

• If $\varphi$ is $\mathbf{EX}\,f$, then we must verify if $f$ is true in a successor state of the current state. $\mathbf{EX}\,f$ is true in a state $t$ if and only if there exists a state $s$ such that $f$ is true in state $s$, and there exists a transition from $t$ to $s$:

$t \models \mathbf{EX}\,f \quad\text{iff}\quad \exists s[f(s) \wedge N(t, s)]$

where $f(s)$ means the value of formula $f$ in state $s$. To compute this value we substitute the free variables in $f$ by their values in state $s$ using the substitution algorithm. In other words, $f(s)$ is true if and only if $s \models f$. The relational product $\exists s[f(s) \wedge N(t, s)]$ can be computed using the basic operations on BDDs, as described in [3]. However, this operation occurs frequently, and it is important to compute it in an efficient manner; efficient algorithms for this purpose are discussed in [2].

• If $\varphi$ is $\mathbf{E}[f\,\mathbf{U}\,g]$, the computation of the set of states that satisfy $\varphi$ can be characterized as a fixpoint computation, as shown previously. The BDD that represents the states where $\mathbf{E}[f\,\mathbf{U}\,g]$ is true can be computed by finding the least fixpoint $\mathbf{E}[f\,\mathbf{U}\,g]$ of:

$\mathbf{E}[f\,\mathbf{U}\,g] = g \vee (f \wedge \mathbf{EX}\,\mathbf{E}[f\,\mathbf{U}\,g])$

• If $\varphi$ is $\mathbf{EG}\,f$, the algorithm is defined in a similar way. It searches for the greatest fixpoint $\mathbf{EG}\,f$ instead, and uses the following formula:

$\mathbf{EG}\,f = f \wedge \mathbf{EX}\,\mathbf{EG}\,f$

• All other CTL operators are written in terms of the ones presented.


6  Real-Time  Logics 

The logic CTL can be used to specify many properties of finite state systems. However, there is an important class of properties that cannot be adequately handled using this logic. This class consists of the properties that involve quantitative constraints, that is, the class of properties which place bounds on response time. In CTL it is possible to express the property that some event will happen in the future, but not that some event will happen at most $x$ time units in the future. In this section we will discuss one way of augmenting CTL to permit representation of such properties.

In order to represent bounded properties, we add time intervals to the existing temporal operators, as described in [9]. The basic temporal operator that we use in our real-time logic is the bounded until operator, which has the form $\mathbf{U}_{[a,b]}$, where $[a,b]$ defines the time interval in which our property must be true. We say that $f\,\mathbf{U}_{[a,b]}\,g$ is true of some path if $g$ holds in some future state $s$ on the path, $f$ is true in all states between the beginning of the path and $s$, and the distance from the beginning of the path to $s$ is within the interval $[a,b]$. The bounded $\mathbf{EG}$ operator can be defined similarly. Other temporal operators are defined in terms of these.

More formally, we extend our CTL semantics to include the bounded until by adding the following clauses to the formal semantics given in section 4:

6. $s \models \mathbf{E}[\varphi\,\mathbf{U}_{[a,b]}\,\psi]$ iff there exists a path $\pi = s_0 s_1 s_2 \ldots$ starting at $s = s_0$ and some $i$ such that $a \leq i \leq b$ and $s_i \models \psi$ and for all $j < i$, $s_j \models \varphi$.

7. $s \models \mathbf{EG}_{[a,b]}\,\varphi$ iff there exists a path $\pi = s_0 s_1 s_2 \ldots$ starting at $s = s_0$ and some $i$ such that $a \leq i \leq b$ and $s_j \models \varphi$ for all $j \leq i$.

As an example of the use of the bounded until consider the property "It is always true that $p$ may be followed by $q$ within 3 time units". This property can be expressed as $\mathbf{AG}(p \rightarrow \mathbf{EF}_{[0,3]}\,q)$. The bounded $\mathbf{F}$ operator is derived from the bounded until just as in the unbounded case, i.e. $\mathbf{EF}_{[a,b]}\,f \equiv \mathbf{E}[\mathit{true}\,\mathbf{U}_{[a,b]}\,f]$.

In  order  to  implement  this  operator,  we  will  use  a  fixpoint  computation  that  is  similar  to 
the  one  implemented  in  CTL.  It  is  easy  to  s«m*  that  the  formula  can  l)e  exi>resse«i 

in  the  form: 

if  n  >  0  and  6  >  0:  =  /  A  /t.\7:[/U(„_, 

if  6  >  0:  =  <1  V  (/  A  /•;.VA’(/U[„.,,_|].f/|) 

and  =  ft 

Other  operators  are  f|efine<l  similarly. 

Consider the first of these cases. We compute the sets of states where $f$ is true for $a$ steps. During this computation, a fixpoint may be reached before $a$ iterations have passed. When this happens, we can skip to the second case. By using this optimization, the number of required iterations may be reduced when the time interval is large but a fixpoint is reached quickly. The same optimization can also be applied in the second case. If a fixpoint is reached before $b - a$ iterations, with $b$ and $a$ being respectively the upper and lower bounds of the operator, we can immediately proceed to the third case.
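The case split and the early-exit optimization above, in explicit-state form, as an added example (this is not the paper's SMV/BDD code): Python sets of integer states stand in for BDDs, the graph and the labellings $p$ and $q$ are constructed sample data, and the example property $\mathrm{AG}(p \rightarrow \mathrm{EF}_{[0,3]}\,q)$ from the earlier paragraph is checked against it. The recursion is unrolled innermost first, so each phase (second case, then first case) can stop as soon as one iteration changes nothing.

```python
"""Explicit-state implementation of the bounded-until fixpoint above.

Added example, not the paper's SMV/BDD implementation: states are small
integers and Python sets stand in for BDDs, but the three cases of
E[f U_[a,b] g] and the early-fixpoint optimisation are the ones the text
describes.  GRAPH, P and Q are constructed sample data.
"""
from __future__ import annotations
from typing import Dict, Set, Tuple

Graph = Dict[int, Set[int]]   # state -> set of successor states

# Constructed transition graph: a 4-cycle 0-1-2-3 with a branch 2->4->...->8.
GRAPH: Graph = {0: {1}, 1: {2}, 2: {3, 4}, 3: {0}, 4: {5}, 5: {6},
                6: {7}, 7: {8}, 8: {8}}
ALL: Set[int] = set(GRAPH)
P: Set[int] = {1, 4}      # states labelled p
Q: Set[int] = {3, 8}      # states labelled q


def ex(graph: Graph, target: Set[int]) -> Set[int]:
    """EX target: states with at least one successor in target."""
    return {s for s, succs in graph.items() if succs & target}


def bounded_until_stats(graph: Graph, f: Set[int], g: Set[int],
                        a: int, b: int) -> Tuple[Set[int], int]:
    """E[f U_[a,b] g] together with the number of EX iterations performed.

    The recursive cases from the text are unrolled innermost first:
      E[f U_[0,0] g]     = g                               (third case)
      E[f U_[0,k+1] g]   = g v (f ^ EX E[f U_[0,k] g])     (second case, b-a times)
      E[f U_[k+1,m+1] g] = f ^ EX E[f U_[k,m] g]           (first case, a times)
    Each phase stops as soon as an iteration changes nothing: once the set is
    a fixpoint of its step function, every further step returns it again.
    """
    if not 0 <= a <= b:
        raise ValueError("need 0 <= a <= b")
    iterations = 0
    current = set(g)                          # third case
    for _ in range(b - a):                    # second case: widen the window
        iterations += 1
        nxt = g | (f & ex(graph, current))
        if nxt == current:
            break
        current = nxt
    for _ in range(a):                        # first case: shift the window
        iterations += 1
        nxt = f & ex(graph, current)
        if nxt == current:
            break
        current = nxt
    return current, iterations


def bounded_until(graph: Graph, f: Set[int], g: Set[int], a: int, b: int) -> Set[int]:
    return bounded_until_stats(graph, f, g, a, b)[0]


def ef_bounded(graph: Graph, f: Set[int], a: int, b: int) -> Set[int]:
    """EF_[a,b] f = E[true U_[a,b] f]."""
    return bounded_until(graph, set(graph), f, a, b)


def ef(graph: Graph, f: Set[int]) -> Set[int]:
    """Unbounded EF f: least fixpoint of Z = f v EX Z."""
    current: Set[int] = set()
    while True:
        nxt = f | ex(graph, current)
        if nxt == current:
            return current
        current = nxt


def ag(graph: Graph, f: Set[int]) -> Set[int]:
    """AG f = not EF (not f)."""
    return set(graph) - ef(graph, set(graph) - f)


def implies(graph: Graph, lhs: Set[int], rhs: Set[int]) -> Set[int]:
    return (set(graph) - lhs) | rhs


def always_followed_within(graph: Graph, p: Set[int], q: Set[int], bound: int) -> Set[int]:
    """States satisfying AG(p -> EF_[0,bound] q), the example property."""
    return ag(graph, implies(graph, p, ef_bounded(graph, q, 0, bound)))


if __name__ == "__main__":
    for bound in (3, 4):
        ok = 0 in always_followed_within(GRAPH, P, Q, bound)
        print(f"AG(p -> EF_[0,{bound}] q) holds at state 0: {ok}")
    _, iters = bounded_until_stats(GRAPH, ALL, Q, 0, 10**6)
    print(f"EF_[0,1000000] q converged after {iters} iterations")
```

On this data the bound matters: with $[0,3]$ the initial state 0 violates the property, because state 4 satisfies $p$ but reaches $q$ only after 4 steps, while with $[0,4]$ the property holds in every state. Asking for $\mathrm{EF}_{[0,1000000]}\,q$ stops after five EX steps rather than a million, which is the early-fixpoint optimization the text describes.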

7  Timed  Transition  Graphs 

The extensions presented above allow the verification of a number of real-time systems. However, transition graphs have another important limitation for modeling time bounded computing systems. All transitions happen in one step. In actual systems events take different amounts of time to occur. Moreover, the time it takes for some event to take place may change in different executions. We call this behavior bounded stuttering. A transition can stutter if the time it takes to occur is not fixed, but is instead determined by a time interval.

Figure 3: A non-unit transition in a TTG (a transition $s_0 \rightarrow s_1$ labelled $(l, u)$, shown as equivalent to its expansion into unit transitions).

A transition that takes more than one step and stutters can also be modeled in a transition graph. The longer path can be expanded into a series of one step transitions. Extra states and transitions have to be added to the transition graph. This makes the verification process more complex. The number of states added to the system is proportional to the size of the transitions being expanded. Extra transitions between states have to be added to introduce bounded stuttering. If there are many non-unit transitions, or if the individual transitions are long, this can cause state explosion problems.

We introduce the idea of Timed Transition Graphs, TTG, to help alleviate this problem. TTGs remove the unit transition limitation from transition graphs. With each transition in a TTG is associated a time range of the form $[a, b]$, where $a, b \in \mathbb{N}$. A transition labelled with $[a, b]$ will happen in $x$ steps, where $a \le x \le b$. This extension allows transitions with length longer than one and also introduces bounded stuttering. A transition takes $x$ steps, but $x$ is chosen nondeterministically, within the bounds defined by $a$ and $b$.

Formally, a timed transition graph is a 5-tuple $M = (P, S, L, S_0, R)$, where $P$ is a set of propositional variables, $S$ is a set of states, $L$ is a function labeling each state with the set of propositional variables that are true in that state, $S_0$ is a set of initial states and $R \subseteq S \times \mathbb{N} \times \mathbb{N} \times S$ is a transition relation. Informally, $R(s_0, l, u, s_1)$ indicates that the transition between states $s_0$ and $s_1$ can take from $l$ to $u$ steps to occur.

The SMV model checking algorithm can be extended to verify properties of TTG models. Procedures for handling unbounded properties and boolean connectives can be used without modification. To verify bounded properties we must first extend the representation of the transition relation to include the bounds for each transition. The algorithm uses a relation $R_t$ derived from $R$ to represent the transition relation. $R_t(s_0, t, s_1)$ is true iff there exist $l$ and $u$ such that $R(s_0, l, u, s_1)$ is a transition of the model and $l \le t \le u$. The algorithm encodes variables and states as vectors of boolean variables. The time variable $t$ is also encoded as a vector of boolean variables. In the discussion below, though, we do not distinguish between the value of a state or $t$ and its encoding.

The model checking algorithm is an extension of the original one. It is computed by an iterative procedure. The algorithm maintains a current set of states that satisfy $\varphi$. Each iteration finds states that have a transition to an element in the set computed by the previous iteration and updates the current set. The fixpoint of this iteration process is the set of states that satisfy $\varphi$. For example, to find the set of states that satisfy $\mathrm{E}[f\,\mathrm{U}_{[a,b]}\,g]$ we use the method outlined below.

$$s \models \mathrm{E}[f\,\mathrm{U}_{[a,b]}\,g] \quad\text{iff}\quad \exists t.\; s \models \mathrm{E}[f\,\mathrm{U}_t\,g] \wedge a \le t \le b$$

We compute the bounded until for an interval as an extension of the bounded until for a single time $t$. Notice that $f(s)$ iff $s \models f$.

$$\mathrm{E}[f\,\mathrm{U}_t\,g] = \bigl(g(s) \wedge t = 0\bigr) \vee \exists t_1, t_2, s' \,\bigl[\, f(s) \wedge (\mathrm{E}[f\,\mathrm{U}_{t_1}\,g])(s') \wedge R_t(s, t_2, s') \wedge t = t_1 + t_2 \,\bigr]$$

The formula $g(s) \wedge t = 0$ is true if state $s$ satisfies $g$ and the time bound allows the path to have length 0. The formula $(\mathrm{E}[f\,\mathrm{U}_{t_1}\,g])(s') \wedge R_t(s, t_2, s')$ is true if $s$ has a transition to a state $s'$ and $s'$ satisfies $\mathrm{E}[f\,\mathrm{U}_{t_1}\,g]$. To verify if $s$ satisfies the bounded property we must see if the length of the path from $s'$ added to the length of the path from $s$ to $s'$ is within the bounds. $t = t_1 + t_2$ verifies if this requirement is satisfied by $s'$ and some $t_1, t_2$ that satisfy the transitions on the graph. Equations that compute the set of states that satisfy other operators are similarly defined, and will not be presented here for brevity.
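The relation $R_t$ and the equation for $\mathrm{E}[f\,\mathrm{U}_t\,g]$ above, in explicit form, as an added example (not the paper's SMV implementation): the TTG, $f$ and $g$ are constructed sample data, the time variable is kept as an integer rather than a vector of boolean variables, and transitions are assumed to take at least one step. To make the comparison with path expansion concrete, the same TTG is also expanded into a unit-step graph so that the number of states it adds can be set against the number of bits a TTG needs to encode $t$.

```python
"""Bounded until over a timed transition graph (TTG), in explicit form.

Added example, not the paper's SMV implementation: the relation
R(s0, l, u, s1) is a list of tuples, a set of (state, time) pairs stands in
for the BDD over the state and time variables, and the fixpoint follows the
equation for E[f U_t g] given above.  TTG, F and G are constructed sample
data; every transition is assumed to take at least one step (l >= 1).
"""
from __future__ import annotations
from typing import Dict, List, Set, Tuple

Transition = Tuple[int, int, int, int]   # (s0, l, u, s1): s0 -> s1 in l..u steps

# Constructed TTG over states 0..2: 0 reaches 2 either via 1 or directly.
TTG: List[Transition] = [(0, 1, 2, 1), (1, 2, 4, 2), (0, 5, 5, 2), (2, 1, 1, 2)]
N_STATES = 3
F: Set[int] = {0, 1}   # states labelled f
G: Set[int] = {2}      # states labelled g


def r_t(ttg: List[Transition], s: int, t2: int, s1: int) -> bool:
    """R_t(s, t2, s1): some transition s -> s1 admits exactly t2 steps."""
    return any(s0 == s and d == s1 and l <= t2 <= u for s0, l, u, d in ttg)


def timed_until_pairs(ttg: List[Transition], f: Set[int], g: Set[int],
                      b: int) -> Set[Tuple[int, int]]:
    """All (s, t) with t <= b such that s |= E[f U_t g].

    Fixpoint of
      E[f U_t g] = (g(s) ^ t = 0)
                 v exists t1, t2, s'. f(s) ^ E[f U_t1 g](s') ^ R_t(s, t2, s') ^ t = t1 + t2
    Times above b can never contribute to E[f U_[a,b] g], so they are pruned.
    """
    pairs: Set[Tuple[int, int]] = {(s, 0) for s in g}       # g(s) ^ t = 0
    while True:
        new = set(pairs)
        for s in f:                                          # f(s)
            for s_prime, t1 in pairs:                        # E[f U_t1 g](s')
                for t2 in range(1, b - t1 + 1):              # t = t1 + t2 <= b
                    if r_t(ttg, s, t2, s_prime):             # R_t(s, t2, s')
                        new.add((s, t1 + t2))
        if new == pairs:
            return pairs
        pairs = new


def timed_until(ttg: List[Transition], f: Set[int], g: Set[int],
                a: int, b: int) -> Set[int]:
    """E[f U_[a,b] g] = { s | exists t. s |= E[f U_t g] ^ a <= t <= b }."""
    return {s for s, t in timed_until_pairs(ttg, f, g, b) if a <= t <= b}


def time_bits(ttg: List[Transition]) -> int:
    """Boolean variables needed to encode t in 0..u_max (proportional to log u)."""
    return max(u for _, _, u, _ in ttg).bit_length()


def expand_to_unit_graph(ttg: List[Transition], n_states: int) -> Dict[int, Set[int]]:
    """The path-expansion alternative the text compares against: each [l,u]
    transition becomes a chain of unit steps with shortcut edges, adding
    u - 1 fresh states per transition."""
    graph: Dict[int, Set[int]] = {s: set() for s in range(n_states)}
    fresh = n_states
    for s0, l, u, s1 in ttg:
        chain = [s0]
        for _ in range(u - 1):
            graph[fresh] = set()
            chain.append(fresh)
            fresh += 1
        for x, y in zip(chain, chain[1:]):
            graph[x].add(y)
        for k in range(l - 1, u):          # chain[k] -> s1 completes a path of k+1 steps
            graph[chain[k]].add(s1)
    return graph


if __name__ == "__main__":
    print("E[f U_[3,3] g] =", sorted(timed_until(TTG, F, G, 3, 3)))
    print("time bits:", time_bits(TTG),
          "expanded states:", len(expand_to_unit_graph(TTG, N_STATES)))
```

State 0 satisfies $\mathrm{E}[f\,\mathrm{U}_{[3,3]}\,g]$ only through the two-transition path $0 \rightarrow 1 \rightarrow 2$ taking $1 + 2$ steps, which is exactly the $t = t_1 + t_2$ case of the equation. Three boolean variables encode $t$ for this TTG, whereas expanding its four transitions into unit steps adds eight states to the original three.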

The TTG approach does not suffer from the same problems as the path expansion technique, but it does add to the complexity of the fixpoint calculation. The existential quantification algorithm must be applied to the variables that represent the time of a transition. This is an expensive operation, and can also cause state explosion problems. However, the TTG algorithm is more efficient than unrolling states. The number of boolean variables added to the model to represent the time range is proportional to $\log u$, where $u$ is the largest upper bound of all transitions. The existential quantification is applied to these variables. Also, this approach is independent of the number of long transitions and does not introduce another overhead for stuttering transitions.

8  Examples 

As an example of how these techniques can be applied to real-time systems, we'll model the priority inversion problem, and a solution to this problem, priority inheritance. Our model shows how priority inversion affects the predictability of real-time systems, and how inheritance solves the problem. A description of the problem and the solution is first given.

Priorities are essential in real-time systems. The correct ordering of task execution is a fundamental problem that must be solved if the system is to be predictable. Many scheduling policies have been developed to define what constitutes a correct ordering and to enforce this ordering during the execution of the system. If a scheduling policy requires that higher priority tasks execute before lower priority tasks, it is possible for a low priority process to be executing while a higher priority one is blocked. This situation is called priority inversion. Unbounded priority inversions occur when high priority processes are blocked indefinitely by low priority processes. When this happens, the system may become unpredictable. The correct ordering of task execution will be compromised, and the system may fail to satisfy its specification.

Figure 4: Bounded priority inversion

In order to present the problem in a more concrete framework, we will introduce a hypothetical air-traffic control system. We will concentrate our analysis on two of the processes in the system. The first, called sensor, reads airplane position data from radars, sets alarms on catastrophic conditions (conditions that cannot wait for a detailed analysis), and puts the data into shared memory. The other process is the reporter, that reads the data collected by the sensor, and updates the traffic controller screens. The sensor is a high priority process, because it processes urgent events, and must not be blocked by other processes. The reporter, on the other hand, is a low priority process. Since it doesn't process urgent events, it may be delayed by other more important tasks.

The sensor and the reporter processes share data. To access this data appropriately, synchronization is necessary. In our system, the synchronization is implemented by a mutex variable which guarantees mutual exclusion among the processes accessing the data. The mutex variable is locked every time shared data is accessed. However, this may result in priority inversion. Suppose reporter is inside the critical section, and sensor tries to insert new data into the buffer area. The sensor can't access the data and blocks, waiting for reporter to unlock the mutex. Now a high priority process is waiting for a low priority process, and priority inversion occurs. Figure 4 shows this situation.

This priority inversion scenario is bounded. The reporter will delay the sensor while it is inside the critical section. After the reporter releases the lock, the sensor will start executing, and the priority inversion will disappear. We can calculate the maximum duration of the priority inversion as the time to execute the largest critical section, and incorporate it in our calculations for the execution times. The system will still be predictable, although there may be a little loss in accuracy in execution time predictions. Consequently, if the system is well designed, and the critical sections are small, bounded priority inversions can be tolerated, without losing predictability.

Figure 5: Unbounded priority inversion

In certain cases, it is possible to have unbounded priority inversions that cannot be solved by this simple method. Suppose a third process, called the analyzer, is added to the system. This process reads data generated by other components of the air-traffic controller and processes it. The analyzer is less important than the sensor and has a lower priority. But it is more important than the reporter, since urgent conditions may arise as the result of the analysis and handling them is more important than updating the screen. Consider now the same scenario as above, with the reporter inside the critical section, and the sensor waiting on the mutex. At this point, the analyzer starts executing. It will block the reporter, since it has higher priority. However, the sensor is waiting for the reporter (and therefore also for the analyzer). Since the analyzer doesn't know the relation between the reporter and the sensor, it may execute for an unbounded amount of time and delay the sensor indefinitely. If a catastrophic event occurs, it will go unnoticed, because the sensor is blocked. As a result, the behavior of the system becomes unpredictable. Figure 5 shows this situation.

Priority inheritance protocols are one way of preventing unbounded priority inversions. A typical protocol might work in the following manner. As soon as a high priority process is blocked by a low priority one, the low priority process is temporarily given the priority of the blocked process. While inside the critical section the sensor is trying to access, the reporter will execute at high priority. When the reporter exits the critical section, it will be restored to its original priority. In this way, the analyzer will not be able to interrupt the reporter when the sensor is waiting. We will show that this protocol avoids the unbounded priority inversion problem (except possibly for deadlocks in accessing synchronization variables). This allows the designer of the system to predict the maximum priority inversion time, as in the bounded case.

Priority inversion occurred in this example because the analyzer preempted the reporter.

Another cause of priority inversion is queueing. Communication protocols may experience priority inversion for this reason. For example, packets to be sent to the network may have priorities. Low priority packets may be queued ahead of high priority ones in some protocol queue. In a prioritized network a high priority packet may have to wait for a low priority one to be sent. If medium priority packets start arriving in another processor's queue, they may monopolize the network, preventing high priority packets from being sent. Again, we have unbounded priority inversion. This type of priority inversion could also happen in our system, if the different components were distributed over a network. For example, sensor packets could be queued after some low priority packets in a queue, while analyzer packets were being transmitted.

The inheritance mechanism that we have described to avoid unbounded inversions is called the basic priority inheritance protocol. There are other priority inheritance protocols. Some protocols are designed to avoid deadlocks caused when critical sections are accessed in the wrong order. Other protocols are designed to handle chained bounded priority inversions. A chained inversion occurs when a high priority process wants to lock $n$ mutexes that are already locked by low priority processes. In this case, the high priority process has to wait for all low priority processes to finish their critical sections. While this wait is bounded, it may be too expensive to wait for the duration of all critical sections. One possible solution to this problem is to assign priorities to critical sections, based on the priorities of the processes that may access them. A process is allowed to access a critical section only if its priority is higher than the priority of all critical sections currently being accessed. A more complete study of these various algorithms and their characteristics can be found in [8, 11].

Our implementation of the basic priority inheritance protocol is discussed in the full version of the paper. The three processes are implemented as described. We want to determine if the sensor can starve:

$$\mathrm{AG}(\mathit{sensor.state} = \mathit{trying} \rightarrow \mathrm{AF}\;\mathit{sensor.state} = \mathit{critical})$$

This property is false without the priority inheritance mechanism. The property becomes true when priority inheritance is activated. Moreover, we can verify that there is an upper limit on the time the sensor enters the critical section with the following formula, for a suitable bound $b$:

$$\mathrm{AG}(\mathit{sensor.state} = \mathit{trying} \rightarrow \mathrm{AF}_{[0,b]}\;\mathit{sensor.state} = \mathit{critical})$$
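The three-process scenario, the basic priority inheritance protocol described above, and the starvation property just stated, as an added discrete-time simulation (this is not the paper's SMV model, and a simulation over a finite horizon is not the exhaustive check the model checker performs): a fixed-priority preemptive scheduler runs the sensor, analyzer and reporter one step per tick, the analyzer computes forever, and the programs, release times, priorities and critical section lengths are constructed for illustration. The `inheritance` flag switches the protocol on and off; the return value is the tick at which the sensor first runs inside its critical section, or `None` when it starves within the horizon.

```python
"""Discrete-time simulation of the priority inversion scenario and the basic
priority inheritance protocol described above.

Added example, not the paper's SMV model: a fixed-priority preemptive
scheduler runs the sensor, analyzer and reporter one step per tick, with
an analyzer that computes forever.  Programs, release times, priorities and
critical section lengths are constructed for illustration, and the horizon
in time_to_critical stands in for the unbounded AF of the model checker.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Task:
    name: str
    priority: int                  # larger = more important
    release: int                   # tick at which the task first becomes ready
    program: Optional[List[str]]   # None: computes forever and never blocks
    pc: int = 0
    state: str = "sleeping"        # sleeping | ready | trying | done

    def instr(self) -> str:
        if self.program is None:
            return "compute"
        return self.program[self.pc] if self.pc < len(self.program) else "done"


class Mutex:
    def __init__(self) -> None:
        self.owner: Optional[Task] = None
        self.waiters: List[Task] = []     # tasks blocked in state 'trying'


def effective_priority(task: Task, mutex: Mutex, inheritance: bool) -> int:
    """Basic priority inheritance: the owner of a contended mutex runs at the
    highest priority of the tasks blocked on it; otherwise its own priority."""
    prio = task.priority
    if inheritance and mutex.owner is task and mutex.waiters:
        prio = max(prio, max(w.priority for w in mutex.waiters))
    return prio


def step(tasks: List[Task], mutex: Mutex, now: int,
         inheritance: bool) -> Optional[Tuple[str, str]]:
    """Execute one tick and return (task name, instruction) that ran, if any.
    A task that finds the mutex held blocks at once and the next candidate
    is tried within the same tick."""
    for t in tasks:
        if t.state == "sleeping" and now >= t.release:
            t.state = "ready"
    while True:
        ready = [t for t in tasks if t.state == "ready"]
        if not ready:
            return None
        t = max(ready, key=lambda x: effective_priority(x, mutex, inheritance))
        ins = t.instr()
        if ins == "lock":
            if mutex.owner is not None:
                t.state = "trying"            # blocked: priority inversion begins
                mutex.waiters.append(t)
                continue
            mutex.owner = t
        elif ins == "unlock":
            mutex.owner = None                # owner drops back to its own priority
            for w in mutex.waiters:           # blocked tasks retry their lock
                w.state = "ready"
            mutex.waiters.clear()
        elif ins == "done":
            t.state = "done"
            continue
        t.pc += 1                             # lock, unlock, cs or compute took the tick
        return t.name, ins


def time_to_critical(inheritance: bool, with_analyzer: bool = True,
                     horizon: int = 50) -> Optional[int]:
    """Tick at which the sensor first executes inside its critical section,
    or None if it has not done so within horizon ticks (starvation)."""
    reporter = Task("reporter", 1, 0, ["lock", "cs", "cs", "cs", "unlock"])
    sensor = Task("sensor", 3, 1, ["lock", "cs", "unlock"])
    analyzer = Task("analyzer", 2, 2, None)
    tasks = [reporter, sensor] + ([analyzer] if with_analyzer else [])
    mutex = Mutex()
    for now in range(horizon):
        if step(tasks, mutex, now, inheritance) == ("sensor", "cs"):
            return now
    return None


if __name__ == "__main__":
    print("no inheritance, analyzer present:", time_to_critical(False))
    print("inheritance, analyzer present:   ", time_to_critical(True))
    print("no inheritance, no analyzer:     ", time_to_critical(False, with_analyzer=False))
```

Without the analyzer the inversion is bounded by the reporter's critical section and the sensor enters at tick 6 whether or not inheritance is on. With the analyzer present and inheritance off, the analyzer preempts the reporter from tick 2 on and the sensor never enters; with inheritance on, the reporter runs at the sensor's priority until it unlocks, and the sensor again enters at tick 6, the bound the second formula above is meant to capture.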

9  Conclusions 

In this work we have shown how temporal logic model checking can be used to verify properties of real-time systems. We extended an existing symbolic model checker to handle properties that are bounded in time. The bounded until operator was implemented to allow the expression of such properties.

Timed transition graphs were proposed to extend even further the expressiveness of the tool. In a TTG, transitions have time bounds, and a transition can take a nondeterministic time to occur within these bounds. This allows the representation of more realistic models. A symbolic model checking algorithm was given to verify properties in TTG models.

As an example of the usefulness of bounded operators, we discussed the priority inversion problem in real time systems. We formalized a solution for a particular instance of this problem and verified that it was correct using temporal logic model checking techniques. This example demonstrates that non-trivial properties of real-time systems can be proven using symbolic model checking techniques.